puma 6.3.0 → 6.3.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of puma might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/History.md +5 -0
- data/lib/puma/client.rb +15 -8
- data/lib/puma/const.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: dcbde9283993550beb848a4f777bf9d33a1e163f5356cfeeb40be3eede72e7d0
|
|
4
|
+
data.tar.gz: 5394fdd8307e5a1fd40c7cf560d01565a6a9d69fd0fa0006ff6b28e483e627aa
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 473b3047986b69763e01fb3b3f7fc1137070cb041ae235e520216e568860295a3b0ed105e4c52ee1d3aa05353d1b247e0782a1aa7bde840a540200f21d84320b
|
|
7
|
+
data.tar.gz: 69e625526fcc0b7216a419326e172114ed0ba4c7842722c1f896ed4d2fd559e4b58ea31f95a7ca52d37f11b5930433cfa6faab3f510996a39b1de3d3ff46d2a7
|
data/History.md
CHANGED
|
@@ -1,3 +1,8 @@
|
|
|
1
|
+
## 6.3.1 / 2023-08-18
|
|
2
|
+
|
|
3
|
+
* Security
|
|
4
|
+
* Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields ([GHSA-68xg-gqqm-vgj8](https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8))
|
|
5
|
+
|
|
1
6
|
## 6.3.0 / 2023-05-31
|
|
2
7
|
|
|
3
8
|
* Features
|
data/lib/puma/client.rb
CHANGED
|
@@ -49,7 +49,8 @@ module Puma
|
|
|
49
49
|
|
|
50
50
|
# chunked body validation
|
|
51
51
|
CHUNK_SIZE_INVALID = /[^\h]/.freeze
|
|
52
|
-
CHUNK_VALID_ENDING =
|
|
52
|
+
CHUNK_VALID_ENDING = Const::LINE_END
|
|
53
|
+
CHUNK_VALID_ENDING_SIZE = CHUNK_VALID_ENDING.bytesize
|
|
53
54
|
|
|
54
55
|
# Content-Length header value validation
|
|
55
56
|
CONTENT_LENGTH_VALUE_INVALID = /[^\d]/.freeze
|
|
@@ -382,8 +383,8 @@ module Puma
|
|
|
382
383
|
cl = @env[CONTENT_LENGTH]
|
|
383
384
|
|
|
384
385
|
if cl
|
|
385
|
-
# cannot contain characters that are not \d
|
|
386
|
-
if CONTENT_LENGTH_VALUE_INVALID.match? cl
|
|
386
|
+
# cannot contain characters that are not \d, or be empty
|
|
387
|
+
if CONTENT_LENGTH_VALUE_INVALID.match?(cl) || cl.empty?
|
|
387
388
|
raise HttpParserError, "Invalid Content-Length: #{cl.inspect}"
|
|
388
389
|
end
|
|
389
390
|
else
|
|
@@ -544,7 +545,7 @@ module Puma
|
|
|
544
545
|
|
|
545
546
|
while !io.eof?
|
|
546
547
|
line = io.gets
|
|
547
|
-
if line.end_with?(
|
|
548
|
+
if line.end_with?(CHUNK_VALID_ENDING)
|
|
548
549
|
# Puma doesn't process chunk extensions, but should parse if they're
|
|
549
550
|
# present, which is the reason for the semicolon regex
|
|
550
551
|
chunk_hex = line.strip[/\A[^;]+/]
|
|
@@ -556,13 +557,19 @@ module Puma
|
|
|
556
557
|
@in_last_chunk = true
|
|
557
558
|
@body.rewind
|
|
558
559
|
rest = io.read
|
|
559
|
-
|
|
560
|
-
if rest.bytesize < last_crlf_size
|
|
560
|
+
if rest.bytesize < CHUNK_VALID_ENDING_SIZE
|
|
561
561
|
@buffer = nil
|
|
562
|
-
@partial_part_left =
|
|
562
|
+
@partial_part_left = CHUNK_VALID_ENDING_SIZE - rest.bytesize
|
|
563
563
|
return false
|
|
564
564
|
else
|
|
565
|
-
|
|
565
|
+
# if the next character is a CRLF, set buffer to everything after that CRLF
|
|
566
|
+
start_of_rest = if rest.start_with?(CHUNK_VALID_ENDING)
|
|
567
|
+
CHUNK_VALID_ENDING_SIZE
|
|
568
|
+
else # we have started a trailer section, which we do not support. skip it!
|
|
569
|
+
rest.index(CHUNK_VALID_ENDING*2) + CHUNK_VALID_ENDING_SIZE*2
|
|
570
|
+
end
|
|
571
|
+
|
|
572
|
+
@buffer = rest[start_of_rest..-1]
|
|
566
573
|
@buffer = nil if @buffer.empty?
|
|
567
574
|
set_ready
|
|
568
575
|
return true
|
data/lib/puma/const.rb
CHANGED
|
@@ -100,7 +100,7 @@ module Puma
|
|
|
100
100
|
# too taxing on performance.
|
|
101
101
|
module Const
|
|
102
102
|
|
|
103
|
-
PUMA_VERSION = VERSION = "6.3.
|
|
103
|
+
PUMA_VERSION = VERSION = "6.3.1"
|
|
104
104
|
CODE_NAME = "Mugi No Toki Itaru"
|
|
105
105
|
|
|
106
106
|
PUMA_SERVER_STRING = ["puma", PUMA_VERSION, CODE_NAME].join(" ").freeze
|